Tuesday, February 5, 2013

Tripwire - detecting changes to specific files in real time

I came across this package because an unimportant host of ours was compromised and text that should not have been there was written into some files. The impact on the website was small, but it was a warning sign.

Tripwire's main function is to build a fingerprint database of files; only with such a database can you find out immediately when a file's fingerprint has changed.

Environment:
  • CentOS release 5.8 i386 (Final)
Installation:
The how-tos currently found online all build from source with make, but the newer version already ships as an rpm.

Directory layout:
  • Main directory: /etc/tripwire
  • twcfg.txt: configures Tripwire's working environment; adjust it to your own habits.
  • twpol.txt: specifies which files, and which attributes of those files, Tripwire monitors.
Notes:
  • twcfg.txt
    ROOT                   =/usr/sbin
    POLFILE                =/etc/tripwire/tw.pol
    DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE            =/etc/tripwire/site.key
    LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
    EDITOR                 =/bin/vi
    LATEPROMPTING          =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS       =true
    EMAILREPORTLEVEL       =3
    REPORTLEVEL            =3
    MAILMETHOD             =SENDMAIL
    SYSLOGREPORTING        =false
    MAILPROGRAM            =/usr/sbin/sendmail -oi -t
    GLOBALEMAIL            ="root@localhost,root@192.168.1.25"
    • DBFILE is the filename of the fingerprint database.
    • REPORTFILE is the filename of the check report.

  • twpol.txt
    Too long to reproduce in full, omitted....
    The key parts are the settings inside each rulename/severity group.
    (
      rulename = "Invariant Directories",
      severity = $(SIG_MED)
    )
    {
      /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
      /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
      /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
    }
    • The defaults can basically be used as they are.
    • You can also create your own group, for example to monitor the web content under /var/www:
      (
        rulename = "WWW",
        severity = 100
      )
      {
        /var/www/html                             -> $(SEC_CRIT) ;
      }
Procedure:
  1. Set the passphrases:
    • # tripwire-setup-keyfiles
    • During the run you are asked to set two passphrases:
      • site passphrase: used to encrypt twpol.txt and twcfg.txt.
      • local passphrase: used to encrypt the fingerprint database.
  2. Generate the encrypted configuration file tw.cfg from twcfg.txt:
    # twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
    You are prompted with "Please enter your site passphrase".
  3. Check the policy file with twadmin (-m P is --create-polfile: it parses twpol.txt and writes the encrypted tw.pol):
    # twadmin -m P /etc/tripwire/twpol.txt
    You are prompted with "Please enter your site passphrase".
  4. Initialize the Tripwire database:
    # tripwire --init
    This takes 1 to 3 minutes.
  5. Test the e-mail notification:
    # tripwire -m c | mail -s "Tripwire Daily Report from ${HOSTNAME}" root@localhost   (replace root@localhost with your own e-mail address)
  6. Scheduled check:
    • Add a script under /etc/cron.daily/ (tw-check); it must be executable for run-parts to pick it up:
      #!/bin/bash
      /usr/sbin/tripwire -m c | mail -s "Tripwire Daily Report from ${HOSTNAME}" root@localhost
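As an added example (not part of the original post and not Tripwire's own tooling), the tw-check cron job from step 6 can parse the report it is about to mail, so that the subject line carries the violation count and the flagged rule names instead of being identical for clean and alerting runs. Paths follow the twcfg.txt above; the recipient root@localhost and the constructed report excerpt at the bottom are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): helpers for the tw-check cron job.
# Count the violations in the report Tripwire prints and name the flagged rules
# in the mail subject, so a clean run is easy to tell apart from a real alert.
TRIPWIRE=/usr/sbin/tripwire     # ROOT from twcfg.txt
MAILTO=root@localhost           # assumed recipient, cf. GLOBALEMAIL in twcfg.txt
HOST=$(uname -n)                # same as $HOSTNAME in the cron script
# Print the number after "Total violations found:" (empty if the line is missing).
tw_violations() {
    awk -F: '/^Total violations found:/ { gsub(/ /, "", $2); print $2; exit }' "$1"
}

# Print the rules flagged with "*" in the Rule Summary table, comma separated (counts stripped).
tw_flagged_rules() {
    awk '/^Rule Summary:/ { on = 1 }
         /^Total objects scanned:/ { on = 0 }
         on && /^\* / {
             name = substr($0, 3)
             sub(/  +[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/, "", name)
             names = (names == "" ? name : names ", " name)
         }
         END { print names }' "$1"
}

# Build the mail subject from a report file.
tw_subject() {
    n=$(tw_violations "$1")
    case "${n:-0}" in
        0) echo "Tripwire Daily Report from $HOST: no violations" ;;
        *) echo "Tripwire ALERT from $HOST: $n violation(s) in [$(tw_flagged_rules "$1")]" ;;
    esac
}

# What /etc/cron.daily/tw-check calls: run the check, mail the full report.
tw_check_and_mail() {
    report=$(mktemp) || return 1
    "$TRIPWIRE" -m c > "$report" 2>&1
    mail -s "$(tw_subject "$report")" "$MAILTO" < "$report"
    rm -f "$report"
}

# Constructed report excerpt (same layout as the report shown above) so the
# functions can be tried on a machine without a Tripwire database.
sample=$(mktemp)
printf '%s\n' 'Rule Summary:' \
    '* Tripwire Data Files             100               1        0        0' \
    '* WWW                             100               0        0        2' \
    'Total objects scanned:  18817' 'Total violations found:  3' > "$sample"
tw_subject "$sample"    # Tripwire ALERT from <host>: 3 violation(s) in [Tripwire Data Files, WWW]
rm -f "$sample"
```

To use it from cron, replace the constructed sample at the bottom with a call to tw_check_and_mail; the full report still goes in the mail body, only the subject changes.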
Example e-mail report contents:
  • The first time # tripwire -m c | mail -s "Tripwire Daily Report from ${HOSTNAME}" root@localhost is run:
    Parsing policy file: /etc/tripwire/tw.pol
    *** Processing Unix File System ***
    Performing integrity check...
    Wrote report file: /var/lib/tripwire/report/202-3-168-16-static.unigate.net.tw-20130205-013834.twr
    Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

    Report generated by:          root
    Report created on:            西元2013年02月05日 (週二) 01時38分34秒
    Database last updated on:     Never

    ===========================================================================
    Report Summary:
    ===========================================================================
    Host name:                    oooooooo
    Host IP address:              Unknown IP
    Host ID:                      None
    Policy file used:             /etc/tripwire/tw.pol
    Configuration file used:      /etc/tripwire/tw.cfg
    Database file used:           /var/lib/tripwire/oooooooo.twd
    Command line used:            tripwire -m c

    ===========================================================================
    Rule Summary:
    ===========================================================================
    ---------------------------------------------------------------------------
      Section: Unix File System
    ---------------------------------------------------------------------------
      Rule Name                       Severity Level    Added    Removed  Modified
      ---------                       --------------    -----    -------  --------
      Invariant Directories           66                0        0        0
      Temporary directories           33                0        0        0
    * Tripwire Data Files             100               1        0        0
      Critical devices                100               0        0        0
      User binaries                   66                0        0        0
      Tripwire Binaries               100               0        0        0
      Critical configuration files    100               0        0        0
      Libraries                       66                0        0        0
      Operating System Utilities      100               0        0        0
      Critical system boot files      100               0        0        0
      File System and Disk Administraton Programs
                                      100               0        0        0
      Kernel Administration Programs  100               0        0        0
      Networking Programs             100               0        0        0
      System Administration Programs  100               0        0        0
      Hardware and Device Control Programs
                                      100               0        0        0
      System Information Programs     100               0        0        0
      Application Information Programs
                                      100               0        0        0
      Shell Related Programs          100               0        0        0
      Critical Utility Sym-Links      100               0        0        0
      Shell Binaries                  100               0        0        0
      System boot changes             100               0        0        0
      WWW                             100               0        0        0
      (/var/www/html)
      OS executables and libraries    100               0        0        0
      Security Control                100               0        0        0
      Login Scripts                   100               0        0        0
      Root config files               100               0        0        0

    Total objects scanned:  18817
    Total violations found:  1

    ===========================================================================
    Object Summary:
    ===========================================================================
    ---------------------------------------------------------------------------
    # Section: Unix File System
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    Rule Name: Tripwire Data Files (/var/lib/tripwire)
    Severity Level: 100
    ---------------------------------------------------------------------------
    Added:
    "/var/lib/tripwire/oooooooo.bak"
    ===========================================================================
    Error Report:
    ===========================================================================
    ---------------------------------------------------------------------------
      Section: Unix File System
    ---------------------------------------------------------------------------
    1.   File system error.
         Filename: /dev/kmem
         沒有此一檔案或目錄
    2.   File system error.
         Filename: /proc/ksyms
         沒有此一檔案或目錄
       ==== omitted ====
    ---------------------------------------------------------------------------
    *** End of report ***

    Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
    trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
    for details use --version. This is free software which may be redistributed
    or modified only under certain conditions; see COPYING for details.
    All rights reserved.
    Integrity check complete.
  • After modifying /var/www/html/index.php:
    Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
    Report generated by:          root
    Report created on:            西元2013年02月05日 (週二) 01時49分02秒
    ---------------------------------------------------------------------------
    Rule Name: WWW (/var/www/html)
    Severity Level: 100
    ---------------------------------------------------------------------------
    Modified:
    "/var/www/html"
    "/var/www/html/index.php"

    ---------------------------------------------------------------------------
    Rule Name: Root config files (/root)
    Severity Level: 100
    ---------------------------------------------------------------------------
    Modified:
    "/root"
    "/root/.viminfo"